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This listing of claims will replace all prior versions, and listings, of claims in the application. 
Listing of Claims: 

1. (Canceled) 

2. (New) A system that detects the state of a computer network, comprising: 

at least one agent disposed in said computer network, each said agent comprising: 

data collection means for passively collecting, monitoring, and aggregating data 
representative of activities of respective nodes within said computer network; 

means responsive to the data from the data collection means for analyzing said data to 
develop activity models representative of activities of said network in a normal state and 
activities of said network in an abnormal state; and 

means for comparing collected data to said activity models to determine the state of 
said computer network at different times and to dynamically update said activity models. 

3. (New) The system of claim 2, wherein said at least one agent comprises a plurality 
of distributed agents. 

4. (New) The system of claim 2, wherein said data collection means collects data 
representative of operation of said computer network, including respective nodes in said 
computer network, said data relating to communications, intemal and external accesses, code 
execution functions, and/or network resource conditions of respective nodes in said computer 
network. 

5. (New) The system of claim 2, wherein said activity models characterize conditions 
within said computer network including behaviors, events, and/or functions of respective 
nodes of said computer network, said behaviors representative of said normal state and one or 
more abnormal states representative of suspicious activity in said computer network. 

6. (New) The system of claim 2, further comprising means for characterizing the state 
of the computer network and identifying any potential threats based on said collected data. 
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7. (New) The system of claim 6, wherein said characterizing means further 
recommends remedial repair and/or recovery strategies to isolate and/or neutralize the 
identified potential threats to the computer system. 

8. (New) The system of claim 2, wherein respective agents are connected by 
redundant conmiunications connections. 

9. (New) The system of claim 2, wherein each agent is implemented in redundant 
memory and hardware that is adapted to be insulated from infected components of said 
computer network. 

10. (New) The system of claim 2, wherein the agents a plurality of agents are 
disposed in a hierarchical structure whereby communications from bottom level agents to 
agents at higher levels in the hierarchy are limited. 

11. (New) The system of claim 2, further comprising means for predictively modeling 
the behavior of said computer network based on sequentially occurring behavior pattems in 
the data collected by said data collection means. 

12. (New) The system of claim 2, wherein said comparing means comprises means 
for pattem matching collected data with data in said activity models to determine a closest 
activity model based upon similarity of the data in each data model with the collected data. 

13. (New) The system of claim 2, wherein the collected data represents actions of a 
virus, system responses to actions of a virus, actions of a hacker, system responses to actions 
of a hacker, threats directed to discrete objects in said computer network, and/or potential 
triggers of a virus or threat to said computer network. 
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14. (New) The system of claim 2, wherein said analyzing means for each agent filters 
and analyzes received data and dynamically redistributes the analyzed and filtered data to 
other agents associated with said each agent. 

15. (New) The system of claim 2, wherein said analyzing means performs a pattem 
analysis on the collected data and said comparing means compares the results of the pattem 
analysis to the results of pattem matching by analyzing means of other agents to identify 
similar patterns of suspicious activity in different portions of the computer network. 

16. (New) The system of claim 2, wherein the comparing means compares names and 
email addresses in said collected data against known criminal, hoaxsters and/or aliases for 
known criminals and hoaxsters. 

17. (New) The system of claim 2, further comprising a trusted server that receives 
attack data from a plurality of agents identifying abnormal states indicative of a network 
attack, said tmsted server gathering the attack data and sending warnings to selected nodes in 
said computer network. 

18. (New) A method of detecting the state of a computer network, comprising: 
providing at least one agent disposed in said computer network to passively collect, 

monitor, and aggregate data representative of activities of respective nodes within said 
computer network; 

analyzing said data to develop activity models representative of activities of said 
network in a normal state and activities of said network in an abnormal state; and 

comparing collected data to said activity models to determine the state of said 
computer network at different times and to dynamically update said activity models. 

19. (New) The method of claim 18, wherein the at least one agent reports any 
suspicious activity that exceeds a suspicion threshold. 
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20. (New) The method of claim 19, wherein the at least one agent transmits said 
analyzed data in order to determine an origin of the suspicious activity in the computer 
network. 

21. (New) The method of claim 20, further comprising scanning said analyzed data 
for patterns and comparing said patterns to data representative of patterns of known threats to 
said computer network for identification of said suspicious activity. 
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